Greater Saskatoon Catholic Schools
I.T. Email Procedures
1.0 Overview
Email is an essential component of business communication; however it presents
a particular set of challenges due to its potential to introduce a security
threat to the network. Email can also
have an effect on GSCS's liability by providing a written record of
communications, so having a well thought out policy is essential. This policy outlines expectations for appropriate,
safe, and effective email use.
2.0 Purpose
The purpose of these procedures is to detail GSCS's usage guidelines for the
email system. These procedures will help
GSCS reduce risk of an email-related security incident, foster good business
communications both internal and external to GSCS, and provide for consistent
and professional application of GSCS's email principles.
3.0 Scope
The scope of these procedures includes GSCS's email system in its entirety,
including desktop and/or web-based email applications, server-side
applications, email relays, and associated hardware. It covers all electronic mail sent from the
system, as well as any external email accounts accessed from the GSCS network.
4.0 Procedures
4.1 Proper Use of GSCS Email Systems
Users are asked to exercise common sense when
sending or receiving email from GSCS accounts. Additionally, the following
applies to the proper use of the GSCS email system.
4.1.1 Sending Email
When using a GSCS email account, email must
be addressed and sent carefully. Users
should keep in mind that GSCS loses any control of email once it is sent
external to the GSCS network. Users must take
extreme care when typing in addresses, particularly when email address
auto-complete features are enabled; using the "reply all" function;
or using distribution lists in order to avoid inadvertent information
disclosure to an unintended recipient.
Careful use of email will help GSCS avoid the unintentional disclosure
of sensitive or non-public information.
4.1.2 Personal Use and General Guidelines
Personal usage of GSCS email systems is
permitted as long as:
a) Such usage does not
negatively impact the corporate computer network.
b) Such usage does not
negatively impact the user's job performance.
General Guidelines:
a) The following is
never permitted: spamming, harassment, communicating threats, solicitations,
chain letters, or pyramid schemes. This
list is not exhaustive, but is included to provide a frame of reference for
types of activities that are prohibited.
b) The user is
prohibited from forging email header information or attempting to impersonate
another person.
c) Email is an insecure
method of communication, and thus information that is considered confidential
or proprietary to GSCS may not be sent via email, regardless of the recipient,
without proper encryption.
d) It is a GSCS expectation
not to open email attachments from unknown senders, or when such attachments
are unexpected.
e) Email systems were
not designed to transfer large files and as such emails should not contain
attachments of excessive file size.
Please note that the topics above may be
covered in more detail in other sections of these procedures.
4.1.3 Business Communications and Email
GSCS uses email as an important communication
medium for business operations. Users of
the corporate email system are expected to check and respond to email in a
consistent and timely manner during business hours.
Additionally, users are asked to recognize that email sent from a GSCS account
reflects on GSCS, and, as such, email must be used with professionalism and
courtesy.
4.1.4 Email Signature
Email signatures (contact information
appended to the bottom of each outgoing email) may or may not be used, at the
discretion of the individual user. Users
are asked to keep any email signatures professional in nature.
4.1.5 Auto-Responders
GSCS recommends the use of an auto-responder
(if the email system is equipped with such a feature) if the user will be out
of the office for an entire business day or more. The auto-response should notify the sender
that the user is out of the office, the date of the user's return, and who the
sender should contact if immediate assistance is required.
4.1.6 Mass Emailing
GSCS makes the distinction between the
sending of mass emails and the sending of unsolicited email (spam). Mass emails may be useful when communicating
with GSCS's employees, students and parents and are allowed as the situation
dictates. The sending of spam, on the
other hand, is strictly prohibited. Mass
emails to the division must have the approval of the Division Communications
Officer.
4.1.7 Opening Attachments
Users must use care when opening email
attachments. Viruses, Trojans, and other
malware can be easily delivered as an email attachment. Users should:
• Never open unexpected email
attachments.
• Never open email attachments from
unknown sources.
• Never click links within email
messages unless certain of the link's safety. It is often best to copy and paste the link
into your web browser, or retype the URL, as specially-formatted emails can
hide a malicious URL.
GSCS may use methods to block what it considers to be dangerous emails or strip
potentially harmful email attachments as it deems necessary.
4.1.8 Monitoring and Privacy
Users should expect no privacy when using the
corporate network or GSCS resources.
Such use may include but is not limited to: transmission and storage of
files, data, and messages. GSCS reserves
the right to monitor any and all use of the computer network. To ensure compliance with GSCS policies this
may include the interception and review of any emails, or other messages sent
or received, inspection of data stored on personal file directories, hard
disks, and removable media.
4.1.9 GSCS Ownership of Email
Users should be advised that GSCS owns and
maintains all legal rights to its email systems and network, and thus any email
passing through these systems is owned by GSCS and it may be subject to use for
purposes not anticipated by the user.
Keep in mind that email may be backed up, otherwise copied, retained, or
used for legal, disciplinary, or other reasons.
Additionally, the user should be advised that email sent to or from
certain public or governmental entities may be considered public record.
4.1.10 Contents of Received Emails
Users must understand that GSCS has little
control over the contents of inbound email, and that this email may contain
material that the user finds offensive.
If unsolicited email becomes a problem, GSCS may attempt to reduce the
amount of this email that the users receive, however no solution will be 100
per cent effective. The best course of
action is to not open emails that, in the user's opinion, seem suspicious. If the user is particularly concerned about
an email, or believes that it contains illegal content, he or she should notify
his or her supervisor or IT Services.
4.1.11 Access to Email from Mobile Phones
Many mobile phones or other devices, often
called smartphones, provide the capability to send and receive email. GSCS permits users to access the GSCS email
system from a mobile phone. Refer to the
Mobile Device Procedures for more
information.
4.1.12 Email Regulations
Any specific regulations (industry,
governmental, legal, etc.) relating to GSCS's use or retention of email
communications must be listed here or appended to this policy.
4.2 External and/or Personal Email Accounts
GSCS recognizes that users may have personal
email accounts in addition to their GSCS-provided account. The following sections apply to non-GSCS
provided email accounts:
4.2.1 Use for GSCS Business
Users must use the corporate email system for
all business-related email. Users are
prohibited from sending business email from a non-GSCS-provided email account.
4.2.2 Access from GSCS Network
Users are permitted to access external or
personal email accounts from the corporate network, as long as such access uses
no more than a trivial amount of the users' time and GSCS resources.
4.2.3 Use for Personal Reasons
Users are strongly encouraged to use a non-GSCS-provided
(personal) email account for any non-business communications. Users must follow applicable policies
regarding the access of non-GSCS-provided accounts from the GSCS network.
4.3 Confidential Data and Email
The following sections relate to confidential
data and email:
4.3.1 Passwords
As with any GSCS passwords, passwords used to
access email accounts must be kept confidential and used in adherence with the
Password Policy. At the discretion of
the IT Manager, GSCS may further secure email with certificates, two factor
authentication, or another security mechanism.
4.3.2 Emailing Confidential Data
Email is an insecure means of
communication. Users should think of
email as they would a postcard, which, like email, can be intercepted and read
on the way to its intended recipient.
GSCS recommends, but does not require, the encryption of email that contains
confidential information; this is particularly important when the email is sent
to a recipient external to GSCS.
Further guidance on the treatment of confidential information exists in GSCS's
Confidential Data Policy. If information
contained in the Confidential Data Policy conflicts with this policy, the
Confidential Data Policy will apply.
4.4 GSCS Administration of Email
GSCS will use its best effort to administer
GSCS's email system in a manner that both allows the user to be productive
while working and reduces the risk of an email-related security incident.
4.4.1 Filtering of Email
A good way to mitigate risk from email is to
filter it before it reaches the user so that the user receives only safe,
business-related messages. For this
reason, GSCS will filter email at the Internet gateway and/or the mail server,
in an attempt to filter out spam, viruses, or other messages that may be deemed
A) contrary to this policy, or B) a potential risk to GSCS's IT security. No method of email filtering is 100 per cent
effective, so the user is asked additionally to be cognizant of this policy and
use common sense when opening emails.
Additionally, many email and/or anti-malware programs will identify and
quarantine emails that they deem suspicious.
This functionality may or may not be used at the discretion of the IT
Manager.
4.4.2 Email Disclaimers
The use of an email disclaimer, usually as
text appended to the end of every outgoing email message, is often recommended
as an additional component of GSCS's risk reduction efforts. At this time GSCS does not require the use of
email disclaimers.
4.4.3 Email Deletion
Users are encouraged to delete email
periodically when the email is no longer needed for business purposes. The goal of this policy is to keep the size
of the user's email account manageable, and reduce the burden on GSCS to store
and backup unnecessary email messages.
However, users are strictly forbidden from deleting email in an attempt to hide
a violation of this or another GSCS policy.
Further, email must not be deleted when there is an active investigation
or litigation where that email may be relevant.
4.4.4 Address Format
Email addresses must be constructed in a
standard format in order to maintain consistency across GSCS. The recommended format is FirstinitialLastname@gscs.sk.ca
4.4.5 Account Activation
Email accounts will be set up for each user
determined to have a business need to send and receive GSCS email. Accounts will be set up at the time a new
hire starts with GSCS.
Accounts on the GSCS email system will only be provided to non-employees of GSCS
with the permission of the IT Manager.
4.4.6 Account Termination
When a user leaves GSCS, or his or her email
access is officially terminated for another reason, GSCS will disable the
user's access to the account by disabling the account. GSCS is under no obligation to block the
account from receiving email, and may continue to forward inbound email sent to
that account to another user, or set up an auto-response to notify the sender
that the user is no longer employed by GSCS.
4.4.7 Storage Limits
As part of the email service, email storage
may be provided on GSCS servers or other devices. The email account storage size must be
limited to what is reasonable for each employee, at the determination of the IT
Manager. Storage limits may vary by
employee or position within GSCS.
4.5 Prohibited Actions
The following actions shall constitute
unacceptable use of the corporate email system.
This list is not exhaustive, but is included to provide a frame of
reference for types of activities that are deemed unacceptable. The user may not use the corporate email
system to:
• Send any information that is illegal under applicable laws.
• Access another user's email account
  a. without the knowledge or permission of that user - which should only occur in extreme circumstances
  b. without the approval of GSCS executives in the case of an investigation
  c. unless such access constitutes a function of the employee's normal job responsibilities.
• Send any emails that may cause embarrassment, damage to reputation, or other harm to
GSCS.
• Disseminate defamatory, discriminatory, vilifying, sexist, racist, abusive, rude,
harassing, annoying, insulting, threatening, obscene or otherwise inappropriate
messages or media.
• Send emails that cause disruption to the workplace environment or create a hostile
workplace. This includes sending emails
that are intentionally inflammatory, or that include information not conducive
to a professional working atmosphere.
• Make fraudulent offers for products or services.
• Attempt to impersonate another person or forge an email header.
• Send spam, solicitations, chain letters, or pyramid schemes.
• Knowingly misrepresent GSCS's capabilities, business practices, warranties, pricing, or
policies.
• Conduct non-GSCS-related business.
GSCS may take steps to report and prosecute violations of this policy, in accordance
with GSCS standards and applicable laws.
4.5.1 Data Leakage
Data can leave the network in a number of
ways. Often this occurs unintentionally
by a user with good intentions. For this
reason, email poses a particular challenge to GSCS's control of its data.
Unauthorized emailing of GSCS data, confidential or otherwise, to external
email accounts for the purpose of saving this data external to GSCS systems is
prohibited. If a user needs access to
information from external systems (such as from home or while traveling), that
user should notify his or her supervisor rather than emailing the data to a
personal account or otherwise removing it from GSCS systems.
GSCS may employ data loss prevention techniques to protect against leakage of
confidential data at the discretion of the IT Manager.
4.5.2 Sending Large Emails
Email systems were not designed to transfer
large files and as such emails should not contain attachments of excessive file
size. GSCS asks that the user limit
email attachments to 10Mb or less.
The user is further asked to recognize the additive effect of large email
attachments when sent to multiple recipients, and use restraint when sending
large files to more than one person.
5.0 Enforcement
This policy will be enforced by Superintendents of Education. Violations may result in disciplinary action,
which may include suspension, restriction of access, or more severe penalties
up to and including termination of employment.
Where illegal activities are suspected, GSCS may report such activities
to the applicable authorities. If any
provision of this policy is found to be unenforceable or voided for any reason,
such invalidation will not affect any remaining provisions, which will remain
in force.
6.0 Definitions
Auto Responder: An email function
that sends a predetermined response to anyone who sends an email to a certain
address. Often used by employees who
will not have access to email for an extended period of time, to notify senders
of their absence.
Certificate: Also called a
"Digital Certificate." A file
that confirms the identity of an entity, such as a company or person. Often used in VPN and encryption management
to establish trust of the remote entity.
Data Leakage: Also called Data
Loss, data leakage refers to data or intellectual property that is pilfered in
small amounts or otherwise removed from the network or computer systems. Data leakage is sometimes malicious and
sometimes inadvertent by users with good intentions.
Email: Short for electronic mail,
email refers to electronic letters and other communication sent between
networked computer users, either within a company or between companies.
Encryption: The process of
encoding data with an algorithm so that it is unintelligible and secure without
the key. Used to protect data during
transmission or while stored.
Mobile Device: A portable device
that can be used for certain applications and data storage. Examples are PDAs or Smartphones.
Password: A sequence of characters
that is used to authenticate a user to a file, computer, network, or other
device. Also known as a passphrase or
passcode.
Spam: Unsolicited bulk email. Spam often includes advertisements, but can
include malware, links to infected websites, or other malicious or
objectionable content.
Smartphone: A mobile telephone
that offers additional applications, such as PDA functions and email.
7.0 Revision History
Revision 1.0, 8/9/2011
Revision 2.0, 8/13/2012